Mandatory data breach notification requirements for medical practice

Carter, David J; Hartridge, Samuel

doi:10.5694/mja17.00577

Topics

Health services administration

Information science

Ethics and law

Mandatory notification laws bring stiff penalties for failures to meet requirements of the notification scheme

The Australian Government has introduced new mandatory disclosure rules, which came into force in February 2018, requiring most health and medical providers to notify patients or others affected when there is a serious data breach that results in unauthorised access to personal information.1 With fines of up to $420 000 for individuals and far higher fines for businesses that fail to report serious data breaches,1 the mismanagement of a breach by a medical practice will potentially be very serious.

1 Law, Health, Justice Research Centre, University of Technology Sydney, Sydney, NSW
2 University of New South Wales, Sydney, NSW

Correspondence: david.carter@uts.edu.au

Competing interests:

Samuel Hartridge is an in-house counsel to ParaFlare, a cybersecurity company.

1. Privacy Act 1988 (Cth); “Notification of Eligible Data Breaches” Part IIIC (ss 26WA-26WT); “Civil Penalties” ss 80W, 13G; “Enforcement powers of the Office of the Australian Information Commissioner” ss 33E, 33F, 52, 55A, 62, 98, 80W.
2. Office of the Australian Information Commissioner. Notifiable data breaches: quarterly statistics report January 2018 – March 2018. Canberra: Commonwealth of Australia, 2018. https://www.oaic.gov.au/resources/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics/Notifiable_Data_Breaches_Quarterly_Statistics_Report_January_2018__March_.pdf (viewed Apr 2018).
3. Ponemon Institute. 2017 Cost of data breach study (Australia). Traverse City, Michigan: SecurityIntelligence, 2017. https://securityintelligence.com/media/2017-ponemon-institute-cost-of-a-data-breach-study/ (viewed May 2018).
4. Office of the Australian Information Commissioner. Australian Community Attitudes to Privacy Survey 2017. Canberra: Commonwealth of Australia, 2017. https://www.oaic.gov.au/engage-with-us/community-attitudes/australian-community-attitudes-to-privacy-survey-2017 (viewed Aug 2017).
5. Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth). https://www.legislation.gov.au/Series/C2004A03712 (viewed May 2018).
6. Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth). http://parlinfo.aph.gov.au/parlInfo/search/display/display.w3p;query=Id%3A%22legislation%2Fems%2Fr5747_ems_ed12b5bb-d3b3-4a6a-9536-53bb459a00df%22 (viewed May 2018).
7. Royal Australian College of General Practitioners. Computer and information security standards: for general practices and other office-based practices, 2013, 2nd ed. Melbourne: RACGP, 2013. https://www.racgp.org.au/your-practice/ehealth/protecting-information/ciss (viewed Oct 2017).
8. Carter DJ. Records access and management on closure of a medical practice. Med J Aust 2015; 203: 109-110. <MJA full text>
9. Medical Board of Australia. Good medical practice: a code of conduct for doctors in Australia. MBA, 2014. http://www.medicalboard.gov.au/Codes-Guidelines-Policies/Code-of-conduct.aspx (viewed May 2017).
10. Aubusson K. Patient privacy breach: over 1600 medical letters found dumped in Sydney bin. Sydney Morning Herald 2017; 21 Apr. http://www.smh.com.au/national/health/patient-privacy-breached-as-over-1400-medical-letters-found-dumped-in-sydney-bin-20170420-gvp8be.html (viewed Feb 2017).

Online responses are no longer available. Please refer to our instructions for authors page for more information.